A day with .Net

My day to day experince in .net

Archive for May, 2018

GDPR(General Data Protection Regulation) rules for Software Developers and Architects

Posted by vivekcek on May 29, 2018

As a user I love GDPR. I own my data. No one can use my data for their advantage.
But as a software professional, I am concerned about the systems we are developing.
So to address the concerns of Software professionals, I am writing this blog.
I am going to write about some of the rules you need to implement in your systems to agree GDPR.

Hey what the @&** is this GDPR? I don’t want to follow.

If you don’t want to follow GDPR this is going to happen “Penalties and fines can be as high as 4% of annual revenue or €20 million, whichever is greater”.

So better to follow GDPR, I can help you.

What is GDPR?

Its a set of guidelines you need to implement in your systems to protect users personal or simply user data. User is the king. Even if you own the software system, User has the complete ownership of his data.

So What kind of data?

Any data that identify the user.
Name, Location, Health, Genetic, Social handles and more.
Other than that the data created by user like Orders, Messages, Tweets etc..

Is my website need to implement GDPR? Yes, You should if.

Your website collects data on visitors, such as via Google analytics.
Your site has a registration form.
You have e-commerce functionality on your site; that is, you collect information to process payments, orders etc…
You have a newsletter sign-up form.
You include social media links on your pages e.g. Facebook, Twitter etc…
You use a comments system for your articles, such as Disqus.
Your site has scripts that use cookies.
You have a contact form for users to get in touch.

So What are the rules?. The rules are not from actual regulation, I just grouped some guidelines as rules.

Rule 1

You should only collect data necessary for your business.

Rule 2

Data at rest and data in transmit must be encrypted.
Good encryption algorithm need to be used.
Protect your encryption key in a secure place.
Use SSL for data communication.
Encrypt your backups.
You should inform user their data is stored by encrypting.

Rule 3

Your sessions and cookies must expire.
Make sure disabled users can’t use still to expire cookies.
Perfect authentication token revocation should be implemented.

Rule 4

Never try to track users.

Rule 5

If you store users IP or location, it must be informed

Rule 6

Implement Password complexity and store as salted SHA-256 hash.

Rule 7

Avoid personal security questions, ask users to create custom questions that is not related to their personal things.
Use 2 factor authentication.

Rule 8

Data sharing with 3rd parties must be informed to users.
Like to splunk, google analytics, Azure.

Rule 9

Hacking attempts or breach must be informed to users and government.

Rule 10

User must be able to delete all the data generated by him.
Do a Cascade delete.
Use Nullable foreign key for userid.
Keep only user id while delete, anonymize name, email etc..
Can have a background job to delete.

Rule 11

User must able to map him as restricted.
Back office staff can’t see restricted users data.
Restricted users must not be listed in search results.
Add a Boolean column in your database against user to mark him as restricted.

Rule 12

User must be able to export all his data personnel orders messages etc.
Export format can be JSON, XML,CSV etc.
Can be exported to other vendor.
Can be manual like twitter, send an email later.
May be a background job.

Rule 13

User must be able to edit all his personal info.
After change re validate email , phone if needed.

Rule 14

Ask for consent.
Checkbox for each data processing purpose.
if using for machine learning get consent.
Able to withdraw consent.
Consent management location.
Request new consent via email or app popup.

Rule 15

User must be able to see data

Rule 16

Age check, above 18?
Can be violated do your part.

Rule 17

Anonymous data, don’t use production data in test staging.

Rule 18

Data integrity via checksum, audit trail.

Rule 19

Log access to personal data.
Do not put personnel data in blockchain
Forgotten users id need to keep in separate, because during backup restore data should not come back
Data retention- delete data after some time, let the user decide.

Advertisements

Posted in GDPR | Tagged: , , | Leave a Comment »

ASP.NET Core Server Side And Client Side Exception Logging to SQL Server By Using Serilog and JSNLog

Posted by vivekcek on May 28, 2018

Server side and client side logging is a must feature for most of the production web application.
For server side logging i usually prefer ELMAH, But nowadays they started pricing. So i am going with Serilog.
For client side logging we can use JSNLog.
Due to lack of time i am not going to write a detailed post. But if you follow the steps you are done.
Please note these steps are for ASP.NET Core 2.0 web apps.

1. Create an ASP.NET Core 2.0 Web App.
2. Install the below dependencies.

serilog.aspnetcore

Serilog.Settings.Configuration

Serilog.Sinks.MSSqlServer

JSNLog.AspNetCore

Destructurama.JsonNet

3. Now add two classes CustomLoggingAdapter and LogMessageHelpers as below

using JSNLog;
using JSNLog.Infrastructure;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;

namespace Logging
{
    public class CustomLoggingAdapter : ILoggingAdapter
    {
        private ILoggerFactory _loggerFactory;

        public CustomLoggingAdapter(ILoggerFactory loggerFactory)
        {
            _loggerFactory = loggerFactory;
        }

        public void Log(FinalLogData finalLogData)
        {
            ILogger logger = _loggerFactory.CreateLogger(finalLogData.FinalLogger);

            Object message = LogMessageHelpers.DeserializeIfPossible(finalLogData.FinalMessage);

            switch (finalLogData.FinalLevel)
            {
                case Level.TRACE: logger.LogTrace("{@logMessage}", message); break;
                case Level.DEBUG: logger.LogDebug("{@logMessage}", message); break;
                case Level.INFO: logger.LogInformation("{@logMessage}", message); break;
                case Level.WARN: logger.LogWarning("{@logMessage}", message); break;
                case Level.ERROR: logger.LogError("{@logMessage}", message); break;
                case Level.FATAL: logger.LogCritical("{@logMessage}", message); break;
            }
        }
    }

    internal class LogMessageHelpers
    {
        public static T DeserializeJson<T>(string json)
        {
            T result = JsonConvert.DeserializeObject<T>(json);
            return result;
        }
        public static bool IsPotentialJson(string msg)
        {
            string trimmedMsg = msg.Trim();
            return (trimmedMsg.StartsWith("{") && trimmedMsg.EndsWith("}"));
        }

        /// <summary>
        /// Tries to deserialize msg.
        /// If that works, returns the resulting object.
        /// Otherwise returns msg itself (which is a string).
        /// </summary>
        /// <param name="msg"></param>
        /// <returns></returns>
        public static Object DeserializeIfPossible(string msg)
        {
            try
            {
                if (IsPotentialJson(msg))
                {
                    Object result = DeserializeJson<Object>(msg);
                    return result;
                }
            }

            catch
            {
            }
            return msg;

        }

        /// <summary>
        /// Returns true if the msg contains a valid JSON string.
        /// </summary>
        /// <param name="msg"></param>
        /// <returns></returns>
        public static bool IsJsonString(string msg)
        {
            try
            {
                if (IsPotentialJson(msg))
                {
                    // Try to deserialise the msg. If that does not throw an exception,
                    // decide that msg is a good JSON string.
                    DeserializeJson<Dictionary<string, Object>>(msg);
                    return true;
                }
            }
            catch
            {
            }
            return false;
        }
        /// <summary>
        /// Takes a log message and finds out if it contains a valid JSON string.
        /// If so, returns it unchanged.
        /// 
        /// Otherwise, surrounds the string with quotes (") and escapes the string for JavaScript.
        /// </summary>
        /// <param name="ms"></param>
        /// <returns></returns>
        public static string EnsureValidJson(string msg)
        {
            if (IsJsonString(msg))
            {
                return msg;
            }
            return HtmlHelpers.JavaScriptStringEncode(msg, true);
        }

    }
}

4. Now update your Program.cs as below.

using System;
using System.IO;
using Destructurama;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Serilog;

namespace Logging
{
    public class Program
    {
        public static IConfiguration Configuration { get; } = new ConfigurationBuilder()
             .SetBasePath(Directory.GetCurrentDirectory())
             .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
             .AddJsonFile($"appsettings.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production"}.json", optional: true)
             .Build();

        public static void Main(string[] args)
        {
            Log.Logger = new LoggerConfiguration()
                .ReadFrom.Configuration(Configuration)
                .Destructure.JsonNetTypes()
                .CreateLogger();

            BuildWebHost(args).Run();
        }

        public static IWebHost BuildWebHost(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .UseSerilog()
                .Build();
    }
}

5. Update your appSettings.json. You need a SQL database. Logs table will be created automatically.

{
  "connectionStrings": {
    "libraryDBConnectionString": "Server=SQLEXPRESS;Database=Test;Trusted_Connection=True;MultipleActiveResultSets=true;"
  },
  "Serilog": {
    "MinimumLevel": "Error",
    "WriteTo": [
      {
        "Name": "MSSqlServer",
        "Args": {
          "connectionString": "Server=SQLEXPRESS;Database=Test;Trusted_Connection=True;MultipleActiveResultSets=true;",
          "tableName": "Logs",
          "autoCreateSqlTable": true
        }
      }
    ]
  }
}

6. Now add a global extension class AspNetCoreGlobalExceptionHandlerExtension

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.Extensions.Logging;
using System;

namespace Logging
{
    public static class AspNetCoreGlobalExceptionHandlerExtension
    {
        public static IApplicationBuilder UseAspNetCoreExceptionHandler(this IApplicationBuilder app)
        {
            var loggerFactory = app.ApplicationServices.GetService(typeof(ILoggerFactory)) as ILoggerFactory;
            return app.UseExceptionHandler(HandleException(loggerFactory));
        }

        public static Action<IApplicationBuilder> HandleException(ILoggerFactory loggerFactory)
        {
            return appBuilder =>
            {
                appBuilder.Run(async context =>
                {
                    var exceptionHandlerFeature = context.Features.Get<IExceptionHandlerFeature>();
                    if (exceptionHandlerFeature != null)
                    {
                        var logger = loggerFactory.CreateLogger("Serilog Global exception logger");
                        logger.LogError(500, exceptionHandlerFeature.Error, exceptionHandlerFeature.Error.Message);

                    }

                    context.Response.Redirect($"/Error/Status/{context.Response.StatusCode}");

                });

            };

        }
    }
}

7. Update your Startup.cs

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseBrowserLink();
                app.UseDeveloperExceptionPage();
                app.UseAspNetCoreExceptionHandler();
            }
            else
            {
                app.UseAspNetCoreExceptionHandler();
            }

            app.UseStaticFiles();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }

8. Inject logger in your HomeController and throw an exception.

using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

namespace Logging.Controllers
{
    public class HomeController : Controller
    {
        private ILogger<HomeController> _logger;

        public HomeController(ILogger<HomeController> logger)
        {
            _logger = logger;
        }

        public IActionResult Index()
        {
            try
            {
                throw new InvalidOperationException("Exception message");
            }
            catch (ArgumentNullException e)
            {
                _logger.LogError(e.Message, e.InnerException);
                return View("Index");
            }
        }

    }
}

9. Now go to your database table and see the logged exception.

10. Next we will configure JSNLog for client side logging.

11. Add below code in _Layout.cshtml

@*Add to _Layout.cshtml*@
<script src="https://cdnjs.cloudflare.com/ajax/libs/jsnlog/2.26.2/jsnlog.min.js"></script>

12. Update your Startup.cs

using JSNLog;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

namespace Logging
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }
     
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
        }

     
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            if (env.IsDevelopment())
            {
                app.UseBrowserLink();
                app.UseDeveloperExceptionPage();
                app.UseAspNetCoreExceptionHandler();
            }
            else
            {
                app.UseAspNetCoreExceptionHandler();
            }
            // Configure JSNLog
            var jsnlogConfiguration = new JsnlogConfiguration();
            app.UseJSNLog(new LoggingAdapter(loggerFactory), jsnlogConfiguration);

            app.UseStaticFiles();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

13. In the View you can write below codes for logging javascript exceptions and unhandled exceptions.

<script src="https://cdnjs.cloudflare.com/ajax/libs/jsnlog/2.26.2/jsnlog.min.js"></script>
    <script type="text/javascript">

        JL().error("log message");

        // Code included in jsnlog.js to set a handler that logs uncaught JavaScript errors to 
        // the server side log.
     
        if (window && !window.onerror) {
            window.onerror = function (errorMsg, url, lineNumber, column, errorObj) {
                JL("onerrorLogger").fatalException({
                    "msg": "Uncaught Exception",
                    "errorMsg": errorMsg, "url": url,
                    "line number": lineNumber, "column": column
                }, errorObj);

                return false;
            }
        }
    </script>

14. Now see the result in your database.

15. To do the same in WebApi, use below extension.

public static class ApiGlobalExceptionHandlerExtension
    {
        public static IApplicationBuilder UseWebApiExceptionHandler(this IApplicationBuilder app)
        {
            var loggerFactory = app.ApplicationServices.GetService(typeof(ILoggerFactory)) as ILoggerFactory;

            return app.UseExceptionHandler(HandleApiException(loggerFactory));
        }

        public static Action<IApplicationBuilder> HandleApiException(ILoggerFactory loggerFactory)
        {
            return appBuilder =>
            {
                appBuilder.Run(async context =>
                {
                    var exceptionHandlerFeature = context.Features.Get<IExceptionHandlerFeature>();

                    if (exceptionHandlerFeature != null)
                    {
                        var logger = loggerFactory.CreateLogger("Serilog Global exception logger");
                        logger.LogError(500, exceptionHandlerFeature.Error, exceptionHandlerFeature.Error.Message);
                    }

                    context.Response.StatusCode = 500;
                    await context.Response.WriteAsync("An unexpected fault happened. Try again later.");

                });
            };
        }
    }

16 You can use this by.

app.UseWebApiExceptionHandler();

Posted in ASP.NET Core | Tagged: , , , , | Leave a Comment »

Best way to protect ASP.NET Core applications from Cross Site Request Forgery(CSRF)

Posted by vivekcek on May 26, 2018

Hope you understand what is Cross Site Request Forgery(CSRF). If not just google.
ASP.NET Core has built-in support for preventing CSRF, by using a mechanism called AntiForgery Token.
The best way to validate anti forgery token in asp.net core can be done by creating a middleware.

Create a middleware as below.

using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;

namespace Security
{

    public class ValidateAntiForgeryTokenMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly IAntiforgery _antiforgery;

        public ValidateAntiForgeryTokenMiddleware(RequestDelegate next, IAntiforgery antiforgery)
        {
            _next = next;
            _antiforgery = antiforgery;
        }

        public async Task Invoke(HttpContext context)
        {
            if (HttpMethods.IsPost(context.Request.Method))
            {
                await _antiforgery.ValidateRequestAsync(context);
            }

            await _next(context);
        }

    }
}

Now add the middleware in your startup class.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAntiforgeryTokens();
}

In ASP.NET Core 2.0 or later, the FormTagHelper injects antiforgery tokens into HTML form elements.
So you don’t need to do anything in your view.

<form method="post">
    ...
</form>

If you want to disable antiforgery token in view do this.

<form method="post" asp-antiforgery="false">
    ...
</form>

To read about more, how to generate token from Javascript refer this link.
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.0

Posted in ASP.NET Core | Leave a Comment »

EF Core DbContext in separate library

Posted by vivekcek on May 26, 2018

I was designing an ASP.NET core application with a layered architecture, and decided to keep my DbContext in a separate class library project.
This is normal in layered architecture right?. But when i tried to create migration got some strange error.

After some googling i found that we need to add below code in our library , when our DbContext and models are in separate class library.

Add below code in the library where your DbContext is, Here MyDbContext is the name of DbContext.

using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Design;

namespace DataLayer
{
    public class MyContextFactory : IDesignTimeDbContextFactory<MyDbContext>
    {
        public MyDbContext CreateDbContext(string[] args)
        {
            var builder = new DbContextOptionsBuilder<MyDbContext>();
            builder.UseSqlServer("Server=MyServer;Database=MyDatabase;Trusted_Connection=True;MultipleActiveResultSets=true");
            return new MyDbContext(builder.Options);
        }
    }
}

Posted in EfCore | Leave a Comment »